Transcript Chap 3

Attacks and Malicious Code
Chapter 3
Learning Objectives





Explain denial-of-service (DoS) attacks
Explain and discuss ping-of-death attacks
Identify major components used in a DDoS
attack and how they are installed
Understand major types of spoofing attacks
Discuss man-in-the-middle attacks, replay
attacks, and TCP session hijacking
continued…
Learning Objectives



Detail three types of social-engineering
attacks and explain why they can be
incredibly damaging
List major types of attacks used against
encrypted data
List major types of malicious software and
identify a countermeasure for each one
Denial-of-Service Attacks





Any malicious act that causes a system to
be unusable by its real user(s)
Take numerous forms
Are very common
Can be very costly
Major types


SYN flood
Smurf attack
SYN Flood


Exploits the TCP three-way handshake
Inhibits server’s ability to accept new TCP
connections
TCP Three-Way Handshake
Smurf



Non-OS specific attack that uses the
network to amplify its effect on the victim
Floods a host with ICMP
Saturates Internet connection with bogus
traffic and delays/prevents legitimate
traffic from reaching its destination
IP Fragmentation Attacks:
Ping of Death

Uses IP packet fragmentation techniques to
crash remote systems
Ping of Death
Distributed Denial-of-Service Attacks




Use hundreds of hosts on the Internet to attack
the victim by flooding its link to the Internet or
depriving it of resources
Used by hackers to target government and
business Internet sites
Automated tools; can be executed by script
kiddies
Result in temporary loss of access to a given site
and associated loss in revenue and prestige
Conducting DDoS Attacks
DDoS Countermeasures




Security patches from software vendors
Antivirus software
Firewalls
Ingress (inbound) and egress (outbound)
filtering
Ingress and Egress Filtering
Preventing the Network from
Inadvertently Attacking Others



Filter packets coming into the network
destined for a broadcast address
Turn off directed broadcasts on internal
routers
Block any packet from entering the
network that has a source address that is
not permissible on the Internet (see Figures
3-8 and 3-9)
continued…
Preventing the Network from
Inadvertently Attacking Others


Block at the firewall any packet that uses a
protocol or port that is not used for Internet
communications on the network
Block packets with a source address
originating inside your network from
entering your network
Ingress Filtering of Packets
with RFC 1918 Addresses
Filtering of Packets
with RFC 2827 Addresses
Spoofing


Act of falsely identifying a packet’s IP
address, MAC address, etc
Four primary types




IP address spoofing
ARP poisoning
Web spoofing
DNS spoofing
IP Address Spoofing


Used to exploit trust relationships between
two hosts
Involves creating an IP address with a
forged source address
ARP Poisoning


Used in man-in-the-middle and session
hijacking attacks; attacker takes over
victim’s IP address by corrupting ARP
caches of directly connected machines
Attack tools



ARPoison
Ettercap
Parasite
Web Spoofing


Convinces victim that he or she is visiting
a real and legitimate site
Considered both a man-in-the-middle
attack and a denial-of-service attack
Web Spoofing
DNS Spoofing



Aggressor poses as the victim’s legitimate
DNS server
Can direct users to a compromised server
Can redirect corporate e-mail through a
hacker’s server where it can be copied or
modified before sending mail to final
destination
To Thwart Spoofing Attacks

IP spoofing



Disable source routing on all internal routers
Filter out packets entering local network from
the Internet that have a source address of the
local network
ARP poisoning

Use network switches that have MAC binding
features
continued…
To Thwart Spoofing Attacks

Web spoofing


Educate users
DNS spoofing


Thoroughly secure DNS servers
Deploy anti-IP address spoofing measures
Man in the Middle


Class of attacks in which the attacker
places himself between two
communicating hosts and listens in on their
session
To protect against


Configure routers to ignore ICMP redirect
packets
Take measures to prevent ARP and DNS
spoofing
Man-in-the-Middle Attacks
Man-in-the-Middle Applications




Web spoofing
TCP session hijacking
Information theft
Other attacks (denial-of-service attacks,
corruption of transmitted data, traffic
analysis to gain information about victim’s
network)
Man-in-the-Middle Methods



ARP poisoning
ICMP redirects
DNS poisoning
Replay Attacks

Attempts to circumvent authentication
mechanisms by:


Recording authentication messages from a
legitimate user
Reissuing those messages in order to
impersonate the user and gain access to
systems
Replay Attack
TCP Session Hijacking


Attacker uses techniques to make the
victim believe he or she is connected to a
trusted host, when in fact the victim is
communicating with the attacker
Well-known tool

Hunt (Linux)
Attacker Using Victim’s TCP
Connection
Quick Quiz





The primary purpose of DoS attacks is to steal vital
information. (T/F)
Name three types of DoS attack.
The ping of death works based on using very large ICMP
packets that must be fragmented to send and when
reassembled are too large for the receiver’s buffer. (T/F)
How can a router stop packets from entering the network
whose source IP address is spoofed to look like an
internal address?
Which spoofing method fouls up name to IP address
mappings?
Social Engineering


Class of attacks that uses trickery on
people instead of computers
Goals





Fraud
Network intrusion
Industrial espionage
Identity theft
Desire to disrupt the system or network
Dumpster Diving
Online Attacks

Use chat and e-mails venues to exploit
trust relationships
Social Engineering Countermeasures


Take proper care of trash and discarded
items
Ensure that all system users have periodic
training about network security
Attacks Against Encrypted Data




Weak keys
Mathematical attacks
Birthday attack
Password guessing


Brute force
Dictionary
Weak Keys

Secret keys used in encryption that exhibit
regularities in encryption, or even a poor
level of encryption
Mathematical Attack


Attempts to decrypt encrypted data using
mathematics to find weaknesses in the
encryption algorithm
Categories of cryptanalysis



Cyphertext-only analysis
Known plaintext attack
Chosen plaintext attack
Birthday Attack

Class of brute-force mathematical attacks
that exploits mathematical weaknesses of
hash algorithms and one-way hash
functions
Password Guessing

Tricks authentication mechanisms by
determining a user’s password using
techniques such as brute force or dictionary
attacks
Brute Force

Method of breaking passwords that
involves computation of every possible
combination of characters for a password
of a given character length
Dictionary


Method of breaking passwords by using a
predetermined list of words as input to the
password hash
Only works against poorly chosen
passwords
Software Exploitation


Utilizes software vulnerabilities to gain
access and compromise systems
Example


Buffer overflow attack
To stop software exploits

Stay appraised of latest security patches
provided by software vendors
Malicious Software
Viruses


Self-replicating programs that spread by
“infecting” other programs
Damaging and costly
Virus Databases
Evolution of Virus Propagation
Techniques
Protecting Against Viruses

Enterprise virus protection solutions




Desktop antivirus programs
Virus filters for e-mail servers
Network appliances that detect and remove viruses
Instill good behaviors in users and system
administrators

Keep security patches and virus signature databases up
to date
Backdoor



Remote access program surreptitiously installed
on user computers that allows attacker to control
behavior of victim’s computer
Also known as remote access Trojans
Examples



Back Orifice 2000 (BO2K)
NetBus
Detection and elimination


Up-to-date antivirus software
Intrusion detection systems (IDS)
Trojan Horses


Class of malware that uses social
engineering to spread
Types of methods



Sending copies of itself to all recipients in
user’s address book
Deleting or modifying files
Installing backdoor/remote control programs
Logic Bombs





Set of computer instructions that lie dormant until
triggered by a specific event
Once triggered, the logic bomb performs a
malicious task
Almost impossible to detect until after triggered
Often the work of former employees
For example: macro virus

Uses auto-execution feature of specific applications
Worms




Self-contained program that uses security
flaws such as buffer overflows to remotely
compromise a victim and replicate itself to
that system
Do not infect other executable programs
Account for 80% of all malicious activity
on Internet
Examples: Code Red, Code Red II, Nimda
Defense Against Worms



Latest security updates for all servers
Network and host-based IDS
Antivirus programs
Chapter Summary

Mechanisms, countermeasures, and best
practices for:





Malicious software
Denial-of-service attacks
Software exploits
Social engineering
Attacks on encrypted data
Quick Quiz






What are the goals of social engineering?
A weak key in an encryption algorithm will always
mean the text can be easily decrypted. (T/F)
What are three strategies for cryptanalysis?
The _____________ attack is used to find collisions
of hash functions. complete
A ______________ __________________ is a
program that poses as something else, causing the
user to ‘willingly’ inflict the attack on him or her self.
Complete
Discuss why viruses and worms exist at all?
Motivation?